Yashvardhan Kukreja
72aa739395
feat: added kyverno_admission_review_latency_milliseconds metric
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-05-24 08:06:40 +05:30
Yashvardhan Kukreja
b8f8a47d8d
feat: added kyverno_policy_rule_execution_latency_milliseconds metric
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-05-24 08:06:36 +05:30
Yashvardhan Kukreja
43a138a12b
feat: added kyverno_policy_rule_results_info metric
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-05-24 08:05:14 +05:30
shuting
adcb89a1b5
Update to use gvk to store OpenAPI schema ( #1906 )
...
* bump swagger doc to 1.21.0
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* stores openapi schema by gvk
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix schema validation in CLI
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add missing resource lists
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add e2e tests
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* address review doc comments
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-05-13 12:03:13 -07:00
Pooja Singh
434a4cdb14
Bug fix/1783 generate endlessly ( #1804 )
...
* debug
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* bug fix
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* error handling
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added resource cache
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* reverting back to api call attempt
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-04-26 12:58:34 -07:00
Pooja Singh
ca5a4e1986
added multiple item logic for clone in generate policy ( #1744 )
...
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-03-29 22:36:16 -07:00
Pooja Singh
a0ddd2c184
Added validate logic for generate to handle multiple items in array ( #1727 )
...
* added validate logic for generate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* format fix
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* gofmt fix
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added test cases
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-03-25 17:04:43 -07:00
Shuting Zhao
c3360b7389
make the number of generate workers configurable
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-22 19:14:06 -07:00
Vyankatesh Kudtarkar
9e831ec959
Bug Fix: Extends match / exclude to use apiGroup and apiVersion ( #1218 ) ( #1656 )
...
* Extends match / exclude to use apiGroup and apiVersion
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
* fix gvk issue
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-03-04 16:45:52 -08:00
shuting
267be0815f
Bug fixes - policy validation, auto-generated rules, apiCall support in mutate and generate ( #1629 )
...
* Fix invalid policy reports generated for blocked resource
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix 1464 - copy context and preconditions to auto-gen rules
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix 1628 - add policy validations
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix 1593 - support apiCall in mutate and generate
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 12:08:26 -08:00
Pooja Singh
0de83ebe17
code improvement ( #1567 )
...
* code improvement
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added if conditions
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* fixed unit test cases
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-02-10 10:28:50 -08:00
Pooja Singh
4788085c4f
Panic fix in generation.go ( #1563 )
...
* added if condition
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* fixed test condition
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-02-09 10:34:57 -08:00
Yashvardhan Kukreja
d141f74015
performed cleanups ( #1552 )
2021-02-07 21:19:25 -08:00
shuting
2f2d6c2e38
Upgrade client libraries to 0.20.2 ( #1547 )
...
* upgrade clients to 0.20.2
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* remove debug log
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix unit tests
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix e2e test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-07 20:26:56 -08:00
Pooja Singh
32522e7827
namespace selector ( #1532 )
...
* updated crd with namespace selector
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added logic for validate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added condition in utils for namespace labels
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added function for extracting namespace label using lister
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added logic for generate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added lister in generate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* commented generate controller changes
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns lister
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in apply.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in generation.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in mutation.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label for validation
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* using dynamic informer
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-02-03 13:09:42 -08:00
Jim Bugwadia
e8e3b93a5f
api server lookups ( #1514 )
...
* initial commit for api server lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* initial commit for API server lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495 )
* Dockerfile refactored
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Adding non-root commands to docker images and enhanced the dockerfiles
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing base image to scratch
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Minor typo fix
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing dockerfiles to use /etc/passwd to use non-root user'
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert cli image name (#1507 )
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Refactor resourceCache; Reduce throttling requests (background controller) (#1500 )
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix bug - namespace is not returned properly
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* reduce throttling - list resource using lister
* refactor resource cache
* fix test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix label selector
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix build failure
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix merge issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix unit test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add nil check for API client
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Raj Babu Das <mail.rajdas@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
2021-02-01 12:59:13 -08:00
Pooja Singh
0396d5278e
added logic for generate policy with data ( #1463 )
...
* added logic for generate policy with data
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* debugging data of configmap
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* removed few print statements
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* logic for configmap
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* logic for pod
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* logic for pod
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* restructured
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* removed println
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added comments
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added test cases
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* function rename
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* removed comment
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* small improvement
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* extract annotation and label
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* fixed test cases
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* extract annotation and label from updated target resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* updated test cases
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-01-27 10:11:22 -08:00
NoSkillGirl
e67747260b
generate refactorings
2021-01-04 15:19:06 +05:30
Jim Bugwadia
68474a9dd2
skip validation patterns for delete requests
2021-01-02 01:10:14 -08:00
NoSkillGirl
fabe9ee8aa
added update logic in ResourceMutation
2020-12-30 00:12:36 +05:30
NoSkillGirl
9913af0253
adding GR for older GR's
2020-12-29 15:35:12 +05:30
NoSkillGirl
430184add4
updated comment
2020-12-28 13:28:26 +05:30
NoSkillGirl
bf7356d8f6
fixed updation of clone source
2020-12-24 18:39:23 +05:30
NoSkillGirl
371b79fc36
small fix
2020-12-24 12:41:54 +05:30
NoSkillGirl
0a84225dff
goroutine added for GR
2020-12-24 12:29:28 +05:30
NoSkillGirl
ddc17d1983
fixed syntax error
2020-12-24 12:28:32 +05:30
NoSkillGirl
068ec5922f
changed label prefix
2020-12-24 12:28:32 +05:30
NoSkillGirl
a2f3709985
corrected label
2020-12-24 12:28:32 +05:30
NoSkillGirl
53e2e38cd3
enqueuing gr on getting deleted
2020-12-24 12:28:32 +05:30
Jim Bugwadia
e2f10c6f83
update validation logic
2020-12-23 15:10:07 -08:00
shuting
d0347afa59
Fix invalid failure event for generate policy ( #1413 )
...
* reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR
* - refactor policy controller; - fix RCR issue
* - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests
* update CRD schema
* fix typo
* fix invalid generate failure event
2020-12-22 11:07:31 -08:00
Jim Bugwadia
c77944ddef
filter resources excluded in config ( #1404 )
2020-12-16 12:29:16 -08:00
shuting
5f70f5feec
fixes #1399 ( #1400 )
2020-12-15 15:21:39 -08:00
Pooja Singh
bff7229678
1345 use GR lister ( #1387 )
...
* improved log message
* added lister for GR
* added label to GR
* added wait for cache is sync
2020-12-14 14:52:13 -08:00
shuting
2ec5a0fa42
1319 fix throttling ( #1348 )
...
* fix policy status and generate controller issues
* shorten ACTION column name
* update logs
* improve naming
* add temp logs for troubleshooting
* cleanup logs
* apply generate policy to old & new resource in webhook
* cleanup log messages
* cleanup log messages
* cleanup log messages
* fix clean up of policy report in init container
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-12-01 12:30:08 -08:00
Jim Bugwadia
2344b2c305
1319 fix throttling ( #1341 )
...
* fix policy status and generate controller issues
* shorten ACTION column name
* update logs
Co-authored-by: Shuting Zhao <shutting06@gmail.com>
2020-11-30 11:22:20 -08:00
Jim Bugwadia
ec95724e97
update webhook registration and monitor ( #1318 )
...
* update webhook registration and monitor
* update log
* fix test
* improve logs
* improve logs
* format changes
* decrease interval for webhook config checks
2020-11-26 16:07:06 -08:00
shuting
5e07ecc5f3
Add Policy Report ( #1229 )
...
* add report in cli
* policy report crd added
* policy report added
* configmap added
* added jobs
* added jobs
* bug fixed
* added logic for cli
* common function added
* sub command added for policy report
* subcommand added for report
* common package changed
* configmap added
* added logic for kyverno cli
* added logic for jobs
* added logic for jobs
* added logic for jobs
* added logic for cli
* bug fix
* cli changes
* count bug fix
* docs added for command
* go fmt
* refactor codebase
* remove policy controller for policyreport
* policy report removed
* bug fixes
* bug fixes
* added job trigger if needed
* job deletion logic added
* build failed fix
* fixed e2e test
* remove hard coded variables
* packages added
* improvement added in jobs scheduler
* policy report yaml added
* cronjob added
* small fixes
* remove background sync
* documentation added for report command
* remove extra log
* small improvement
* tested policy report
* revert hardcoded changes
* changes for demo
* demo changes
* resource aggregation added
* More changes
* More changes
* - resolve PR comments; - refactor jobs controller
* set rbac for jobs
* add clean up in job controller
* add short names
* remove application scope for policyreport
* move job controller to policyreport
* add report logic in command apply
* - update policy report types; - upgrade k8s library; - update code gen
* temporarily comment out code to pass CI build
* generate / update policyreport to cluster
* add unit test for CLI report
* add test for apply - generate policy report
* fix unit test
* - remove job controller; - remove in-memory configmap; - clean up kustomize manifest
* remove dependency
* add reportRequest / clusterReportRequest
* clean up policy report
* generate report request
* update crd clusterReportRequest
* - update json tag of report summary; - update definition manifests; - fix dclient creation
* aggregate reportRequest into policy report
* fix unit tests
* - update report summary to optional; - generate clusterPolicyReport; - remove reportRequests after merged to report
* remove
* generate reportRequest in kyverno namespace
* update resource filter in helm chart
* - rename reportRequest to reportChangeRequest; -rename clusterReportRequest to clusterReportChangeRequest
* generate policy report in background scan
* skip generating report change request if there's entry results
* fix results entry removal when policy / rule gets deleted
* rename apiversion from policy.kubernetes.io to policy.k8s.io
* update summary.* to lower case
* move reportChangeRequest to kyverno.io/v1alpha1
* remove policy report flag
* fix report update
* clean up policy violation CRD
* remove violation CRD from manifest
* clean up policy violation code - remove pvGenerator
* change severity fields to lower case
* update import library
* set report category
Co-authored-by: Yuvraj <yuvraj.yad001@gmail.com>
Co-authored-by: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-11-09 11:26:12 -08:00
Shuting Zhao
cdc5190c56
update nirmata/kyverno to kyverno/kyverno
2020-10-07 11:12:31 -07:00
Mohan B E
51ac382c6c
Feature/configmaps var 724 ( #1118 )
...
* added configmap data substitution for foreground mutate and validate
* added configmap data substitution for foreground mutate and validate fmt
* added configmap lookup for background
* added comments to resource cache
* added configmap data lookup in preConditions
* added parse strings in In operator and configmap lookup docs
* added configmap lookup docs
* modified configmap lookup docs
2020-09-22 14:11:49 -07:00
Yuvraj
b7524467a3
Reconcile Generate request on policy update ( #1096 )
...
* policy report crd added
* added namespaced rule
* remove extra field from crd
* revert crd change
* remove policy report changes
* remove policy report changes
* remove policy report changes
* remove policy report changes
* added logic for gr
* revert changes
* fixed generate rules
* fixed generate rules
* fixed generate rules
* fixed generate rules
* remove extra logs
* remove extra logs
* fixed e2e test
* remove extra logs
* crd issue resolved
* added check for sync
* add labels update
* add label update
* added permission to role
* roles added to helm
* roles added to helm
2020-09-03 14:34:23 -07:00
Mohan B E
118b40c644
added invalid field validation for policy ( #1094 )
2020-09-03 22:14:54 +05:30
Yuvraj
2641120907
Generate policy does not work on namespace update ( #1085 )
...
* added logic for handling generate request
* generate rules added
* added label condition for generate
* remove extra logs
* remove extra logs
* bug fixed
* bug fixed
* added logic for delete gr
* log fixed
* documentation changed
* remove best practices changes
* bug fix
* added best practice
2020-08-31 11:25:13 -07:00
shuting
d6062fdd47
Add go fmt ( #1055 )
...
* remove empty flag
* format code
* revert change in install.yaml
2020-08-14 12:21:06 -07:00
Yuvraj
73840e3c5f
configurable rules added ( #1017 )
...
* configurable rules added
* fix exclude group logic from code
* flag added in yaml
* exclude username added
* exclude username added
* config interface implemented
* configure exclude username
* get role ref
* test case fixed
* panic fix
* move from interface to slice
* exclude added in mutate
* trim strings
* configmap changes added
* kustomize changes for configmap
* k8s resources added
2020-08-07 17:09:24 -07:00
shuting
75a7543c6d
Events fix ( #1006 )
...
* remove success event
* remove event success message
* remove events generated on clusterpolicy
2020-07-20 20:30:02 +05:30
Yuvraj
4535f43283
Added Synchronize flag in Generate Request ( #980 )
...
* fix Synchronize flag issue
2020-07-14 02:12:11 +05:30
shuting
87fa77fbcc
965 add validate audit handler ( #967 )
...
* store policy names cache to reduce lookup time
* add validate audit handler
* fix #958 , remove auto-gen annotation on Pod
* formatting code
* update processTime to readable format
* #586 , add back unit test
* update logging info
* remove unused interface
* handle generate policy in a single thread in webhook
* resolve pr comments
2020-07-09 11:48:34 -07:00
shuting
ed52bd3d9f
Add policy cache based on policyType ( #960 )
...
* add policy cache based on policyType
* fetch policy from cache in webhook
* add unit test for policy cache
* update log for exclude resources filter
* skip webhook mutation on DELETE operation
* remove duplicate k8s version check
* add description
2020-07-02 12:49:10 -07:00
Yuvraj
01724d63cf
Synchronize data for generated resources ( #933 )
...
* Generate request added for update resource
* synchronize flag added
* documentation added for keeping resource synchronized
Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
2020-06-23 07:19:43 +05:30